feat: Add setup_google_authenticator function for configuring SSH wit…
…h Google Authenticator
Tearran committed Sep 2, 2024
1 parent ba88d49 commit b6b5fdb
Showing 2 changed files with 198 additions and 47 deletions.
180 changes: 134 additions & 46 deletions lib/armbian-configng/config.ng.jobs.json
Expand Up @@ -5,7 +5,7 @@
"description": "System wide and admin settings",
"sub": [
{
"id": "S01",
"id": "S00",
"description": "Enable Armbian kernel upgrades",
"command": [
"set_safe_boot unhold"
Expand All @@ -17,7 +17,7 @@
"condition": "[[ -n \"$(apt-mark showhold)\" ]]"
},
{
"id": "S02",
"id": "S01",
"description": "Disable Armbian kernel upgrades",
"command": [
"set_safe_boot freeze"
Expand All @@ -29,7 +29,7 @@
"condition": "[[ -z \"$(apt-mark showhold)\" ]]"
},
{
"id": "S03",
"id": "S02",
"description": "Edit the boot environment",
"command": [
"get_user_continue \"This will open /boot/armbianEnv.txt file to edit\nCTRL+S to save\nCTLR+X to exit\nwould you like to continue?\" process_input",
Expand All @@ -41,19 +41,19 @@
"author": ""
},
{
"id": "S04",
"id": "S03",
"description": "Install Linux headers",
"command": [
"Headers_install"
],
"status": "Pending Review",
"status": "Active",
"doc_link": "https://github.com/armbian/config/wiki#System",
"src_reference": "https://github.com/armbian/config/blob/master/debian-config-jobs#L160",
"author": "https://github.com/Tearran",
"condition": "! are_headers_installed"
},
{
"id": "S05",
"id": "S04",
"description": "Remove Linux headers",
"command": [
"Headers_remove"
Expand All @@ -65,19 +65,19 @@
"condition": "are_headers_installed"
},
{
"id": "S06",
"id": "S05",
"description": "Install to internal storage",
"command": [
"armbian-install"
],
"status": "Pending Review",
"status": "Testing",
"doc_link": "https://github.com/armbian/config/wiki#System",
"src_reference": "",
"author": "https://github.com/igorpecovnik",
"condition": "[[ -n $(ls /sbin/armbian-install) ]]"
},
{
"id": "S30",
"id": "S06",
"description": "Change shell system wide to BASH",
"command": [
"export BASHLOCATION=$(grep /bash$ /etc/shells | tail -1)",
Expand All @@ -87,14 +87,14 @@
"update_skel",
"awk -F'[/:]' '{if ($3 >= 1000 && $3 != 65534 || $3 == 0) print $1}' /etc/passwd | xargs -L1 chsh -s $(grep /bash$ /etc/shells | tail -1)"
],
"status": "Pending Review",
"status": "Testing",
"doc_link": "",
"src_reference": "",
"author": "https://github.com/igorpecovnik",
"condition": "[[ $(cat /etc/passwd | grep \"^root:\" | rev | cut -d\":\" -f1 | cut -d\"/\" -f1| rev) == \"zsh\" ]]"
},
{
"id": "S31",
"id": "S07",
"description": "Change shell system wide to ZSH",
"command": [
"export ZSHLOCATION=$(grep /zsh$ /etc/shells | tail -1)",
Expand All @@ -104,59 +104,147 @@
"update_skel",
"awk -F'[/:]' '{if ($3 >= 1000 && $3 != 65534 || $3 == 0) print $1}' /etc/passwd | xargs -L1 chsh -s $(grep /zsh$ /etc/shells | tail -1)"
],
"status": "Pending Review",
"status": "Active",
"doc_link": "",
"src_reference": "",
"author": "https://github.com/igorpecovnik",
"condition": "[[ $(cat /etc/passwd | grep \"^root:\" | rev | cut -d\":\" -f1 | cut -d\"/\" -f1| rev) == \"bash\" ]]"
},
{
"id": "S40",
"description": "Sub sub menu test",
"id": "S08",
"description": "Manage SSH login options",
"sub": [
{
"id": "S41",
"description": "Sub sub menu item",
"id": "SS01",
"description": "Disable root login",
"command": [
"echo \"Sub sub menu item\""
],
"status": "Active",
"sed -i \"s|^#\\?PermitRootLogin.*|PermitRootLogin no|\" /etc/ssh/sshd_config",
"systemctl restart sshd.service"
],
"status": "Testing",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": ""
},
{
"id": "S42",
"description": "Sub sub menu item 2",
"condition": "grep -q '^PermitRootLogin yes' /etc/ssh/sshd_config"
},
{
"id": "SS02",
"description": "Enable root login",
"command": [
"echo \"Sub sub menu item 2\""
],
"status": "Active",
"sed -i \"s/^#\\?PermitRootLogin.*/PermitRootLogin yes/\" /etc/ssh/sshd_config" ,
"systemctl restart sshd.service"
],
"status": "Testing",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": ""
},
{
"id": "S43",
"description": "Sub sub menu item 3",
"condition": "grep -q '^PermitRootLogin no' /etc/ssh/sshd_config"
},
{
"id": "SS03",
"description": "Disable password login",
"command": [
"echo \"Sub sub menu item 3\""
],
"status": "Active",
"sed -i \"s/^#\\?PasswordAuthentication.*/PasswordAuthentication no/\" /etc/ssh/sshd_config" ,
"systemctl restart sshd.service"
],
"status": "Testing",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": ""
},
{
"id": "S44",
"description": "Sub sub menu item 4",
"condition": "grep -q 'PasswordAuthentication yes' /etc/ssh/sshd_config"
},
{
"id": "SS04",
"description": "Enable password login",
"command": [
"sed -i \"s/^#\\?PasswordAuthentication.*/PasswordAuthentication yes/\" /etc/ssh/sshd_config" ,
"systemctl restart sshd.service"
],
"status": "Testing",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "grep -q 'PasswordAuthentication no' /etc/ssh/sshd_config"
},
{
"id": "SS05",
"description": "Disable Public key authentication login",
"command": [
"sed -i \"s/^#\\?PubkeyAuthentication.*/PubkeyAuthentication no/\" /etc/ssh/sshd_config" ,
"systemctl restart sshd.service"
],
"status": "Testing",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "grep -q 'PubkeyAuthentication yes' /etc/ssh/sshd_config"
},
{
"id": "SS06",
"description": "Enable Public key authentication login",
"command": [
"echo \"Sub sub menu item 4\""
],
"status": "Active",
"sed -i \"s/^#\\?PubkeyAuthentication.*/PubkeyAuthentication yes/\" /etc/ssh/sshd_config" ,
"systemctl restart sshd.service"
],
"status": "Testing",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": ""
}
"condition": "grep -q 'PubkeyAuthentication no' /etc/ssh/sshd_config"
},
{
"id": "SS07",
"description": "Disable OTP authentication",
"command": [
"clear",
"! check_if_installed libpam-google-authenticator && ! check_if_installed qrencode || debconf-apt-progress -- apt-get -y purge libpam-google-authenticator qrencode",
"sed -i \"s/^#\\?ChallengeResponseAuthentication.*/ChallengeResponseAuthentication no/\" /etc/ssh/sshd_config || sed -i \"0,/KbdInteractiveAuthentication/s//ChallengeResponseAuthentication yes/\" /etc/ssh/sshd_config" ,
"sed -i '/^auth required pam_google_authenticator.so nullok/ d' /etc/pam.d/sshd",
"systemctl restart sshd.service"
],
"status": "Testing",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "grep -q 'ChallengeResponseAuthentication yes' /etc/ssh/sshd_config"
},
{
"id": "SS08",
"description": "Enable OTP authentication",
"command": [
"setup_google_authenticator"
],
"status": "Testing",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "! check_if_installed libpam-google-authenticator || ! check_if_installed qrencode || grep -q '^ChallengeResponseAuthentication no' /etc/ssh/sshd_config || ! grep -q 'ChallengeResponseAuthentication' /etc/ssh/sshd_config"
},
{
"id": "SS09",
"description": "Generate new OTP authentication QR code",
"command": [
"qr_code generate"
],
"status": "Testing",
"doc_link": "",
"src_reference": "",
"author": "",
"condition": "grep -q '^ChallengeResponseAuthentication yes' /etc/ssh/sshd_config"
},
{
"id": "SS10",
"description": "Show OTP authentication QR code",
"command": ["qr_code"],
"status": "Testing",
"doc_link": "",
"src_reference": "",
"author": "Igor Pecovnik",
"condition": "grep -q '^ChallengeResponseAuthentication yes' /etc/ssh/sshd_config && [ -f /root/.google_authenticator ]"
}
],
"disabled": true,
"status": "WIP",
"status": "Testing",
"author": "",
"condition": ""
}
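Review bot: The SS07 "Disable OTP authentication" entry carries a fallback `sed -i "0,/KbdInteractiveAuthentication/s//ChallengeResponseAuthentication yes/"` that writes `yes` on the disable path, and because `sed -i` exits 0 whether or not anything matched, that `||` branch only runs on an I/O error. SS07 also inlines the same commands as `clear_google_authenticator` in config.ng.system.sh; calling the function here, the way SS08 calls `setup_google_authenticator`, would keep the two copies from drifting. SS01–SS07 each restart sshd straight after an in-place edit with no syntax check, so `sshd -t && systemctl restart sshd.service` would avoid dropping a remote session on a broken config. The `condition` greps on SS03–SS07 have no `^` anchor and therefore also match commented-out defaults such as `#PasswordAuthentication yes`; the effective value, which a drop-in under `/etc/ssh/sshd_config.d/` may override on Debian-based images, is more reliably read from `sshd -T`.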
65 changes: 64 additions & 1 deletion lib/armbian-configng/config.ng.system.sh
Expand Up @@ -138,7 +138,7 @@ function Headers_install () {

module_options+=(
["Headers_remove,author"]="Joey Turner"
["Headers_remove,ref_link"]="https://github.com/armbian/config/blob/master/debian-config-jobs#L160"
["Headers_remove,ref_link"]=""
["Headers_remove,feature"]="Headers_remove"
["Headers_remove,desc"]="Remove Linux headers"
["Headers_remove,example"]="Headers_remove"
Expand All @@ -161,4 +161,67 @@ function Headers_remove () {
apt clean
debconf-apt-progress -- apt -y autoremove
fi
}


module_options+=(
["setup_google_authenticator,author"]="Igor"
["setup_google_authenticator,ref_link"]=""
["setup_google_authenticator,feature"]="setup_google_authenticator"
["setup_google_authenticator,desc"]="Setup Google Authenticator and configure SSH"
["setup_google_authenticator,example"]="setup_google_authenticator"
["setup_google_authenticator,status"]="Pending Review"
["setup_google_authenticator,doc_link"]="https://github.com/armbian/config/wiki#System"
)
#
# @description Setup Google Authenticator and configure SSH
#
setup_google_authenticator() {
clear
# Check and install libpam-google-authenticator if not installed
check_if_installed libpam-google-authenticator || debconf-apt-progress -- apt-get -y install libpam-google-authenticator

# Check and install qrencode if not installed
check_if_installed qrencode || debconf-apt-progress -- apt-get -y install qrencode

# Enable ChallengeResponseAuthentication in sshd_config
sed -i "s/^#\\?ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" /etc/ssh/sshd_config

# Update sshd_config and pam.d/sshd for Google Authenticator
sed -i $'/KbdInteractiveAuthentication/{iChallengeResponseAuthentication yes\\n:a;n;ba}' /etc/ssh/sshd_config || \
sed -n -i '/password updating/{p;:a;N;/@include common-password/!ba;s/.*\\n/auth required pam_google_authenticator.so nullok\\nauth required pam_permit.so\\n/};p' /etc/pam.d/sshd

# Generate QR code if .google_authenticator file does not exist
[ ! -f /root/.google_authenticator ] && qr_code generate

# Restart sshd service
systemctl restart sshd.service
}

module_options+=(
["clear_google_authenticator,author"]="Igor"
["clear_google_authenticator,ref_link"]=""
["clear_google_authenticator,feature"]="clear_google_authenticator"
["clear_google_authenticator,desc"]="Remove Google Authenticator and revert SSH configuration"
["clear_google_authenticator,example"]="clear_google_authenticator"
["clear_google_authenticator,status"]="Pending Review"
["clear_google_authenticator,doc_link"]="https://github.com/armbian/config/wiki#System"
)
#
# @description Remove Google Authenticator and revert SSH configuration
#
clear_google_authenticator() {
clear
# Purge libpam-google-authenticator and qrencode if installed
! check_if_installed libpam-google-authenticator && ! check_if_installed qrencode || debconf-apt-progress -- apt-get -y purge libpam-google-authenticator qrencode

# Disable ChallengeResponseAuthentication in sshd_config
sed -i "s/^#\\?ChallengeResponseAuthentication.*/ChallengeResponseAuthentication no/" /etc/ssh/sshd_config || \
sed -i "0,/KbdInteractiveAuthentication/s//ChallengeResponseAuthentication yes/" /etc/ssh/sshd_config

# Remove Google Authenticator configuration from pam.d/sshd
sed -i '/^auth required pam_google_authenticator.so nullok/ d' /etc/pam.d/sshd

# Restart sshd service
systemctl restart sshd.service
}
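Review bot: In `setup_google_authenticator` the `/etc/pam.d/sshd` edit is chained to the preceding `sshd_config` sed with `|| \`, and `sed -i` exits 0 even when its address never matches, so as written the line that adds `pam_google_authenticator.so` runs only if the first sed errors out. In the normal case the menu would report OTP enabled while no OTP module is present in the PAM stack. Ending the first sed without `|| \` so both edits run as separate statements would fix that; the same `||` pattern in `clear_google_authenticator` guards a fallback that writes `ChallengeResponseAuthentication yes` on the removal path. The inserted PAM lines use `nullok` followed by `auth required pam_permit.so`, so any account without an enrolled secret passes the OTP step without a code, and only `/root/.google_authenticator` is checked before `qr_code generate`; if that is intended, a comment such as `# nullok: accounts without an enrolled secret skip OTP` should say so. Assuming the page shows the file verbatim, `\\n` inside the single-quoted PAM sed script reaches sed as a literal backslash plus `n` rather than a newline, and a `sshd -t &&` guard before `systemctl restart sshd.service` would keep a bad edit from cutting off the remote session.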
